7c09c1630a8fabf414c6b62d87251074df77af8a
[samba.git] / source3 / auth / pampass.c
1 /* 
2    Unix SMB/CIFS implementation.
3    PAM Password checking
4    Copyright (C) Andrew Tridgell 1992-2001
5    Copyright (C) John H Terpsta 1999-2001
6    Copyright (C) Andrew Bartlett 2001
7    Copyright (C) Jeremy Allison 2001
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 /*
24  * This module provides PAM based functions for validation of
25  * username/password pairs, account managment, session and access control.
26  * Note: SMB password checking is done in smbpass.c
27  */
28
29 #include "includes.h"
30
31 #undef DBGC_CLASS
32 #define DBGC_CLASS DBGC_AUTH
33
34 #ifdef WITH_PAM
35
36 /*******************************************************************
37  * Handle PAM authentication 
38  *      - Access, Authentication, Session, Password
39  *   Note: See PAM Documentation and refer to local system PAM implementation
40  *   which determines what actions/limitations/allowances become affected.
41  *********************************************************************/
42
43 #if defined(HAVE_SECURITY_PAM_APPL_H)
44 #include <security/pam_appl.h>
45 #elif defined(HAVE_PAM_PAM_APPL_H)
46 #include <pam/pam_appl.h>
47 #endif
48
49 /*
50  * Structure used to communicate between the conversation function
51  * and the server_login/change password functions.
52  */
53
54 struct smb_pam_userdata {
55         const char *PAM_username;
56         const char *PAM_password;
57         const char *PAM_newpassword;
58 };
59
60 typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr);
61
62 /*
63  *  Macros to help make life easy
64  */
65
66 static char *smb_pam_copy_string(const char *s)
67 {
68         if (s == NULL) {
69                 return NULL;
70         }
71         return SMB_STRDUP(s);
72 }
73
74 static char *smb_pam_copy_fstring(const char *s)
75 {
76         if (s[0] == '\0') {
77                 return NULL;
78         }
79         return SMB_STRDUP(s);
80 }
81
82 /*******************************************************************
83  PAM error handler.
84  *********************************************************************/
85
86 static bool smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl)
87 {
88
89         if( pam_error != PAM_SUCCESS) {
90                 DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
91                                 msg, pam_strerror(pamh, pam_error)));
92                 return False;
93         }
94         return True;
95 }
96
97 /*******************************************************************
98  This function is a sanity check, to make sure that we NEVER report
99  failure as sucess.
100 *********************************************************************/
101
102 static bool smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
103                                             const char *msg, int dbglvl, 
104                                             NTSTATUS *nt_status)
105 {
106         *nt_status = pam_to_nt_status(pam_error);
107
108         if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl))
109                 return True;
110
111         if (NT_STATUS_IS_OK(*nt_status)) {
112                 /* Complain LOUDLY */
113                 DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \
114 error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE"));
115                 *nt_status = NT_STATUS_LOGON_FAILURE;
116         }
117         return False;
118 }
119
120 /*
121  * PAM conversation function
122  * Here we assume (for now, at least) that echo on means login name, and
123  * echo off means password.
124  */
125
126 static int smb_pam_conv(int num_msg,
127                     const struct pam_message **msg,
128                     struct pam_response **resp,
129                     void *appdata_ptr)
130 {
131         int replies = 0;
132         struct pam_response *reply = NULL;
133         struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
134
135         *resp = NULL;
136
137         if (num_msg <= 0)
138                 return PAM_CONV_ERR;
139
140         /*
141          * Apparantly HPUX has a buggy PAM that doesn't support the
142          * appdata_ptr. Fail if this is the case. JRA.
143          */
144
145         if (udp == NULL) {
146                 DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
147                 return PAM_CONV_ERR;
148         }
149
150         reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
151         if (!reply)
152                 return PAM_CONV_ERR;
153
154         memset(reply, '\0', sizeof(struct pam_response) * num_msg);
155
156         for (replies = 0; replies < num_msg; replies++) {
157                 switch (msg[replies]->msg_style) {
158                         case PAM_PROMPT_ECHO_ON:
159                                 reply[replies].resp_retcode = PAM_SUCCESS;
160                                 reply[replies].resp = smb_pam_copy_string(
161                                         udp->PAM_username);
162                                 /* PAM frees resp */
163                                 break;
164
165                         case PAM_PROMPT_ECHO_OFF:
166                                 reply[replies].resp_retcode = PAM_SUCCESS;
167                                 reply[replies].resp = smb_pam_copy_string(
168                                         udp->PAM_password);
169                                 /* PAM frees resp */
170                                 break;
171
172                         case PAM_TEXT_INFO:
173                                 /* fall through */
174
175                         case PAM_ERROR_MSG:
176                                 /* ignore it... */
177                                 reply[replies].resp_retcode = PAM_SUCCESS;
178                                 reply[replies].resp = NULL;
179                                 break;
180
181                         default:
182                                 /* Must be an error of some sort... */
183                                 SAFE_FREE(reply);
184                                 return PAM_CONV_ERR;
185                 }
186         }
187         if (reply)
188                 *resp = reply;
189         return PAM_SUCCESS;
190 }
191
192 /*
193  * PAM password change conversation function
194  * Here we assume (for now, at least) that echo on means login name, and
195  * echo off means password.
196  */
197
198 static void special_char_sub(char *buf)
199 {
200         all_string_sub(buf, "\\n", "", 0);
201         all_string_sub(buf, "\\r", "", 0);
202         all_string_sub(buf, "\\s", " ", 0);
203         all_string_sub(buf, "\\t", "\t", 0);
204 }
205
206 static void pwd_sub(char *buf, const char *username, const char *oldpass, const char *newpass)
207 {
208         fstring_sub(buf, "%u", username);
209         all_string_sub(buf, "%o", oldpass, sizeof(fstring));
210         all_string_sub(buf, "%n", newpass, sizeof(fstring));
211 }
212
213
214 struct chat_struct {
215         struct chat_struct *next, *prev;
216         fstring prompt;
217         fstring reply;
218 };
219
220 /**************************************************************
221  Create a linked list containing chat data.
222 ***************************************************************/
223
224 static struct chat_struct *make_pw_chat(const char *p) 
225 {
226         char *prompt;
227         char *reply;
228         struct chat_struct *list = NULL;
229         struct chat_struct *t;
230         TALLOC_CTX *frame = talloc_stackframe();
231
232         while (1) {
233                 t = SMB_MALLOC_P(struct chat_struct);
234                 if (!t) {
235                         DEBUG(0,("make_pw_chat: malloc failed!\n"));
236                         TALLOC_FREE(frame);
237                         return NULL;
238                 }
239
240                 ZERO_STRUCTP(t);
241
242                 DLIST_ADD_END(list, t, struct chat_struct*);
243
244                 if (!next_token_talloc(frame, &p, &prompt, NULL)) {
245                         break;
246                 }
247
248                 if (strequal(prompt,".")) {
249                         fstrcpy(prompt,"*");
250                 }
251
252                 special_char_sub(prompt);
253                 fstrcpy(t->prompt, prompt);
254                 strlower_m(t->prompt);
255                 trim_char(t->prompt, ' ', ' ');
256
257                 if (!next_token_talloc(frame, &p, &reply, NULL)) {
258                         break;
259                 }
260
261                 if (strequal(reply,".")) {
262                         fstrcpy(reply,"");
263                 }
264
265                 special_char_sub(reply);
266                 fstrcpy(t->reply, reply);
267                 strlower_m(t->reply);
268                 trim_char(t->reply, ' ', ' ');
269
270         }
271         TALLOC_FREE(frame);
272         return list;
273 }
274
275 static void free_pw_chat(struct chat_struct *list)
276 {
277     while (list) {
278         struct chat_struct *old_head = list;
279         DLIST_REMOVE(list, list);
280         SAFE_FREE(old_head);
281     }
282 }
283
284 static int smb_pam_passchange_conv(int num_msg,
285                                 const struct pam_message **msg,
286                                 struct pam_response **resp,
287                                 void *appdata_ptr)
288 {
289         int replies = 0;
290         struct pam_response *reply = NULL;
291         fstring current_prompt;
292         fstring current_reply;
293         struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
294         struct chat_struct *pw_chat;
295         struct chat_struct *t;
296         bool found; 
297         *resp = NULL;
298
299         DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg));
300
301         if (num_msg <= 0)
302                 return PAM_CONV_ERR;
303
304         if ((pw_chat = make_pw_chat(lp_passwd_chat())) == NULL)
305                 return PAM_CONV_ERR;
306
307         /*
308          * Apparantly HPUX has a buggy PAM that doesn't support the
309          * appdata_ptr. Fail if this is the case. JRA.
310          */
311
312         if (udp == NULL) {
313                 DEBUG(0,("smb_pam_passchange_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
314                 free_pw_chat(pw_chat);
315                 return PAM_CONV_ERR;
316         }
317
318         reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
319         if (!reply) {
320                 DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));
321                 free_pw_chat(pw_chat);
322                 return PAM_CONV_ERR;
323         }
324
325         for (replies = 0; replies < num_msg; replies++) {
326                 found = False;
327                 DEBUG(10,("smb_pam_passchange_conv: Processing message %d\n", replies));
328                 switch (msg[replies]->msg_style) {
329                 case PAM_PROMPT_ECHO_ON:
330                         DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg));
331                         fstrcpy(current_prompt, msg[replies]->msg);
332                         trim_char(current_prompt, ' ', ' ');
333                         for (t=pw_chat; t; t=t->next) {
334
335                                 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n",
336                                                 t->prompt, current_prompt ));
337
338                                 if (unix_wild_match(t->prompt, current_prompt)) {
339                                         fstrcpy(current_reply, t->reply);
340                                         DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply));
341                                         pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
342 #ifdef DEBUG_PASSWORD
343                                         DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actually sent: %s\n", current_reply));
344 #endif
345                                         reply[replies].resp_retcode = PAM_SUCCESS;
346                                         reply[replies].resp = smb_pam_copy_fstring(
347                                                 current_reply);
348                                         found = True;
349                                         break;
350                                 }
351                         }
352                         /* PAM frees resp */
353                         if (!found) {
354                                 DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
355                                 free_pw_chat(pw_chat);
356                                 SAFE_FREE(reply);
357                                 return PAM_CONV_ERR;
358                         }
359                         break;
360
361                 case PAM_PROMPT_ECHO_OFF:
362                         DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg));
363                         fstrcpy(current_prompt, msg[replies]->msg);
364                         trim_char(current_prompt, ' ', ' ');
365                         for (t=pw_chat; t; t=t->next) {
366
367                                 DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n",
368                                                 t->prompt, current_prompt ));
369
370                                 if (unix_wild_match(t->prompt, current_prompt)) {
371                                         fstrcpy(current_reply, t->reply);
372                                         DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply));
373                                         pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
374                                         reply[replies].resp_retcode = PAM_SUCCESS;
375                                         reply[replies].resp = smb_pam_copy_fstring(
376                                                 current_reply);
377 #ifdef DEBUG_PASSWORD
378                                         DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actually sent: %s\n", current_reply));
379 #endif
380                                         found = True;
381                                         break;
382                                 }
383                         }
384                         /* PAM frees resp */
385
386                         if (!found) {
387                                 DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
388                                 free_pw_chat(pw_chat);
389                                 SAFE_FREE(reply);
390                                 return PAM_CONV_ERR;
391                         }
392                         break;
393
394                 case PAM_TEXT_INFO:
395                         /* fall through */
396
397                 case PAM_ERROR_MSG:
398                         /* ignore it... */
399                         reply[replies].resp_retcode = PAM_SUCCESS;
400                         reply[replies].resp = NULL;
401                         break;
402
403                 default:
404                         /* Must be an error of some sort... */
405                         free_pw_chat(pw_chat);
406                         SAFE_FREE(reply);
407                         return PAM_CONV_ERR;
408                 }
409         }
410
411         free_pw_chat(pw_chat);
412         if (reply)
413                 *resp = reply;
414         return PAM_SUCCESS;
415 }
416
417 /***************************************************************************
418  Free up a malloced pam_conv struct.
419 ****************************************************************************/
420
421 static void smb_free_pam_conv(struct pam_conv *pconv)
422 {
423         if (pconv)
424                 SAFE_FREE(pconv->appdata_ptr);
425
426         SAFE_FREE(pconv);
427 }
428
429 /***************************************************************************
430  Allocate a pam_conv struct.
431 ****************************************************************************/
432
433 static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char *user,
434                                         const char *passwd, const char *newpass)
435 {
436         struct pam_conv *pconv = SMB_MALLOC_P(struct pam_conv);
437         struct smb_pam_userdata *udp = SMB_MALLOC_P(struct smb_pam_userdata);
438
439         if (pconv == NULL || udp == NULL) {
440                 SAFE_FREE(pconv);
441                 SAFE_FREE(udp);
442                 return NULL;
443         }
444
445         udp->PAM_username = user;
446         udp->PAM_password = passwd;
447         udp->PAM_newpassword = newpass;
448
449         pconv->conv = smb_pam_conv_fnptr;
450         pconv->appdata_ptr = (void *)udp;
451         return pconv;
452 }
453
454 /* 
455  * PAM Closing out cleanup handler
456  */
457
458 static bool smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr)
459 {
460         int pam_error;
461
462         smb_free_pam_conv(smb_pam_conv_ptr);
463
464         if( pamh != NULL ) {
465                 pam_error = pam_end(pamh, 0);
466                 if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) {
467                         DEBUG(4, ("smb_pam_end: PAM: PAM_END OK.\n"));
468                         return True;
469                 }
470         }
471         DEBUG(2,("smb_pam_end: PAM: not initialised"));
472         return False;
473 }
474
475 /*
476  * Start PAM authentication for specified account
477  */
478
479 static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv)
480 {
481         int pam_error;
482
483         *pamh = (pam_handle_t *)NULL;
484
485         DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user));
486
487         pam_error = pam_start("samba", user, pconv, pamh);
488         if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
489                 *pamh = (pam_handle_t *)NULL;
490                 return False;
491         }
492
493 #if HAVE_PAM_RHOST
494         DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", rhost));
495         pam_error = pam_set_item(*pamh, PAM_RHOST, rhost);
496         if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
497                 smb_pam_end(*pamh, pconv);
498                 *pamh = (pam_handle_t *)NULL;
499                 return False;
500         }
501 #endif
502 #if HAVE_PAM_TTY
503         DEBUG(4,("smb_pam_start: PAM: setting tty\n"));
504         pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
505         if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
506                 smb_pam_end(*pamh, pconv);
507                 *pamh = (pam_handle_t *)NULL;
508                 return False;
509         }
510 #endif
511         DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user));
512         return True;
513 }
514
515 /*
516  * PAM Authentication Handler
517  */
518 static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user)
519 {
520         int pam_error;
521         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
522
523         /*
524          * To enable debugging set in /etc/pam.d/samba:
525          *      auth required /lib/security/pam_pwdb.so nullok shadow audit
526          */
527
528         DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
529         pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
530         switch( pam_error ){
531                 case PAM_AUTH_ERR:
532                         DEBUG(2, ("smb_pam_auth: PAM: Authentication Error for user %s\n", user));
533                         break;
534                 case PAM_CRED_INSUFFICIENT:
535                         DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
536                         break;
537                 case PAM_AUTHINFO_UNAVAIL:
538                         DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
539                         break;
540                 case PAM_USER_UNKNOWN:
541                         DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
542                         break;
543                 case PAM_MAXTRIES:
544                         DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
545                         break;
546                 case PAM_ABORT:
547                         DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
548                         break;
549                 case PAM_SUCCESS:
550                         DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
551                         break;
552                 default:
553                         DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
554                         break;
555         }
556
557         smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status);
558         return nt_status;
559 }
560
561 /* 
562  * PAM Account Handler
563  */
564 static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user)
565 {
566         int pam_error;
567         NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
568
569         DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user));
570         pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */
571         switch( pam_error ) {
572                 case PAM_AUTHTOK_EXPIRED:
573                         DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user));
574                         break;
575                 case PAM_ACCT_EXPIRED:
576                         DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user));
577                         break;
578                 case PAM_AUTH_ERR:
579                         DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user));
580                         break;
581                 case PAM_PERM_DENIED:
582                         DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user));
583                         break;
584                 case PAM_USER_UNKNOWN:
585                         DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user));
586                         break;
587                 case PAM_SUCCESS:
588                         DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user));
589                         break;
590                 default:
591                         DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user));
592                         break;
593         }
594
595         smb_pam_nt_status_error_handler(pamh, pam_error, "Account Check Failed", 2, &nt_status);
596         return nt_status;
597 }
598
599 /*
600  * PAM Credential Setting
601  */
602
603 static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, const char * user)
604 {
605         int pam_error;
606         NTSTATUS nt_status = NT_STATUS_NO_TOKEN;
607
608         /*
609          * This will allow samba to aquire a kerberos token. And, when
610          * exporting an AFS cell, be able to /write/ to this cell.
611          */
612
613         DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
614         pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); 
615         switch( pam_error ) {
616                 case PAM_CRED_UNAVAIL:
617                         DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user ));
618                         break;
619                 case PAM_CRED_EXPIRED:
620                         DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user ));
621                         break;
622                 case PAM_USER_UNKNOWN:
623                         DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user ));
624                         break;
625                 case PAM_CRED_ERR:
626                         DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user ));
627                         break;
628                 case PAM_SUCCESS:
629                         DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user));
630                         break;
631                 default:
632                         DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user));
633                         break;
634         }
635
636         smb_pam_nt_status_error_handler(pamh, pam_error, "Set Credential Failure", 2, &nt_status);
637         return nt_status;
638 }
639
640 /*
641  * PAM Internal Session Handler
642  */
643 static bool smb_internal_pam_session(pam_handle_t *pamh, const char *user, const char *tty, bool flag)
644 {
645         int pam_error;
646
647 #if HAVE_PAM_TTY
648         DEBUG(4,("smb_internal_pam_session: PAM: tty set to: %s\n", tty));
649         pam_error = pam_set_item(pamh, PAM_TTY, tty);
650         if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0))
651                 return False;
652 #endif
653
654         if (flag) {
655                 pam_error = pam_open_session(pamh, PAM_SILENT);
656                 if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0))
657                         return False;
658         } else {
659                 pam_setcred(pamh, (PAM_DELETE_CRED|PAM_SILENT)); /* We don't care if this fails */
660                 pam_error = pam_close_session(pamh, PAM_SILENT); /* This will probably pick up the error anyway */
661                 if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0))
662                         return False;
663         }
664         return (True);
665 }
666
667 /*
668  * Internal PAM Password Changer.
669  */
670
671 static bool smb_pam_chauthtok(pam_handle_t *pamh, const char * user)
672 {
673         int pam_error;
674
675         DEBUG(4,("smb_pam_chauthtok: PAM: Password Change for User: %s\n", user));
676
677         pam_error = pam_chauthtok(pamh, PAM_SILENT); /* Change Password */
678
679         switch( pam_error ) {
680         case PAM_AUTHTOK_ERR:
681                 DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n"));
682                 break;
683
684         /* This doesn't seem to be defined on Solaris. JRA */
685 #ifdef PAM_AUTHTOK_RECOVER_ERR
686         case PAM_AUTHTOK_RECOVER_ERR:
687                 DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n"));
688                 break;
689 #endif
690
691         case PAM_AUTHTOK_LOCK_BUSY:
692                 DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n"));
693                 break;
694         case PAM_AUTHTOK_DISABLE_AGING:
695                 DEBUG(2, ("PAM: Authentication token aging has been disabled.\n"));
696                 break;
697         case PAM_PERM_DENIED:
698                 DEBUG(0, ("PAM: Permission denied.\n"));
699                 break;
700         case PAM_TRY_AGAIN:
701                 DEBUG(0, ("PAM: Could not update all authentication token(s). No authentication tokens were updated.\n"));
702                 break;
703         case PAM_USER_UNKNOWN:
704                 DEBUG(0, ("PAM: User not known to PAM\n"));
705                 break;
706         case PAM_SUCCESS:
707                 DEBUG(4, ("PAM: Account OK for User: %s\n", user));
708                 break;
709         default:
710                 DEBUG(0, ("PAM: UNKNOWN PAM ERROR (%d) for User: %s\n", pam_error, user));
711         }
712  
713         if(!smb_pam_error_handler(pamh, pam_error, "Password Change Failed", 2)) {
714                 return False;
715         }
716
717         /* If this point is reached, the password has changed. */
718         return True;
719 }
720
721 /*
722  * PAM Externally accessible Session handler
723  */
724
725 bool smb_pam_claim_session(char *user, char *tty, char *rhost)
726 {
727         pam_handle_t *pamh = NULL;
728         struct pam_conv *pconv = NULL;
729
730         /* Ignore PAM if told to. */
731
732         if (!lp_obey_pam_restrictions())
733                 return True;
734
735         if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
736                 return False;
737
738         if (!smb_pam_start(&pamh, user, rhost, pconv))
739                 return False;
740
741         if (!smb_internal_pam_session(pamh, user, tty, True)) {
742                 smb_pam_end(pamh, pconv);
743                 return False;
744         }
745
746         return smb_pam_end(pamh, pconv);
747 }
748
749 /*
750  * PAM Externally accessible Session handler
751  */
752
753 bool smb_pam_close_session(char *user, char *tty, char *rhost)
754 {
755         pam_handle_t *pamh = NULL;
756         struct pam_conv *pconv = NULL;
757
758         /* Ignore PAM if told to. */
759
760         if (!lp_obey_pam_restrictions())
761                 return True;
762
763         if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
764                 return False;
765
766         if (!smb_pam_start(&pamh, user, rhost, pconv))
767                 return False;
768
769         if (!smb_internal_pam_session(pamh, user, tty, False)) {
770                 smb_pam_end(pamh, pconv);
771                 return False;
772         }
773
774         return smb_pam_end(pamh, pconv);
775 }
776
777 /*
778  * PAM Externally accessible Account handler
779  */
780
781 NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost)
782 {
783         NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
784         pam_handle_t *pamh = NULL;
785         struct pam_conv *pconv = NULL;
786
787         /* Ignore PAM if told to. */
788
789         if (!lp_obey_pam_restrictions())
790                 return NT_STATUS_OK;
791
792         if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
793                 return NT_STATUS_NO_MEMORY;
794
795         if (!smb_pam_start(&pamh, user, rhost, pconv))
796                 return NT_STATUS_ACCOUNT_DISABLED;
797
798         if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user)))
799                 DEBUG(0, ("smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User %s!\n", user));
800
801         smb_pam_end(pamh, pconv);
802         return nt_status;
803 }
804
805 /*
806  * PAM Password Validation Suite
807  */
808
809 NTSTATUS smb_pam_passcheck(const char * user, const char * password,
810                            const char * rhost)
811 {
812         pam_handle_t *pamh = NULL;
813         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
814         struct pam_conv *pconv = NULL;
815
816         /*
817          * Note we can't ignore PAM here as this is the only
818          * way of doing auths on plaintext passwords when
819          * compiled --with-pam.
820          */
821
822         if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL)
823                 return NT_STATUS_LOGON_FAILURE;
824
825         if (!smb_pam_start(&pamh, user, rhost, pconv))
826                 return NT_STATUS_LOGON_FAILURE;
827
828         if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, user))) {
829                 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", user));
830                 smb_pam_end(pamh, pconv);
831                 return nt_status;
832         }
833
834         if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user))) {
835                 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_account failed - Rejecting User %s !\n", user));
836                 smb_pam_end(pamh, pconv);
837                 return nt_status;
838         }
839
840         if (!NT_STATUS_IS_OK(nt_status = smb_pam_setcred(pamh, user))) {
841                 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_setcred failed - Rejecting User %s !\n", user));
842                 smb_pam_end(pamh, pconv);
843                 return nt_status;
844         }
845
846         smb_pam_end(pamh, pconv);
847         return nt_status;
848 }
849
850 /*
851  * PAM Password Change Suite
852  */
853
854 bool smb_pam_passchange(const char *user, const char *rhost,
855                         const char *oldpassword, const char *newpassword)
856 {
857         /* Appropriate quantities of root should be obtained BEFORE calling this function */
858         struct pam_conv *pconv = NULL;
859         pam_handle_t *pamh = NULL;
860
861         if ((pconv = smb_setup_pam_conv(smb_pam_passchange_conv, user, oldpassword, newpassword)) == NULL)
862                 return False;
863
864         if(!smb_pam_start(&pamh, user, rhost, pconv))
865                 return False;
866
867         if (!smb_pam_chauthtok(pamh, user)) {
868                 DEBUG(0, ("smb_pam_passchange: PAM: Password Change Failed for user %s!\n", user));
869                 smb_pam_end(pamh, pconv);
870                 return False;
871         }
872
873         return smb_pam_end(pamh, pconv);
874 }
875
876 #else
877
878 /* If PAM not used, no PAM restrictions on accounts. */
879 NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost)
880 {
881         return NT_STATUS_OK;
882 }
883
884 /* If PAM not used, also no PAM restrictions on sessions. */
885 bool smb_pam_claim_session(char *user, char *tty, char *rhost)
886 {
887         return True;
888 }
889
890 /* If PAM not used, also no PAM restrictions on sessions. */
891 bool smb_pam_close_session(char *in_user, char *tty, char *rhost)
892 {
893         return True;
894 }
895 #endif /* WITH_PAM */